Question about USB sticks and Linux ISOs

If someone got a USB stick from an unknown/potentially sketchy source (e.g. a convention), how safe would it be to secure erase the drive, reformat it, convert it into a Linux ISO, and install Linux using it?

There are some high-level targeted attacks out there and nothing is unhackable, but I assume that it would take so much time and energy that most hackers wouldn’t try anything more than a low-level attack in such a case, assuming that a gullible person will just plug in the USB and use it without erasing or formatting it at all.

In such a case, could the person be reasonably certain that the newly-installed Linux system is clean?

In my opinion the main concern would be not what’s on the USB afterwards, but what was on it before. There could be malware on that stick that runs once you plug it into your computer.
I could be wrong about that, but I do know for sure that you would be better off not opening any file on the drive.
To answer your question, burning an ISO onto a drive means erasing all of the info on that drive, which means that it probably would be clean, assuming that the ISO you used to burn it on was the official ISO.

If anyone below has any ideas for maybe sandboxing the USB that might work for my first point.

This is my main concern as well. Before doing anything to try to clean the USB, you would have to plug it into a computer, and most likely if there is a virus on the USB it would be one that runs immediately when connected.

If you really wanted to clean a USB, I guess you’d want to do it on hardware that is totally disposable/resettable and not connected to your network? But is all that effort worth it when you could just buy a USB? Assuming it’s totally formatted I guess it would be fine.

@anon7610589, is this like a thought experiment or something you actually want to do?

Well, I hope things continue to go ok for you. Did you nuke the computer you used for the initial clean up of the USB? Nuke as in give it a clean OS install? If not, any potential malware could still be kicking around in there.

What you did to the USB should have worked as far as I know. If it didn’t then it was probably something very advanced which could be tough to find out about, but that’s just baseless speculation.

The general advice would be to not connect a public USB to any computer. If you don’t trust it, leave it alone. Stuxnet, the virus used to attack Iranian nuclear infrastructure, was started by someone finding and using a USB left in public, and it went on to infect 58% of devices in Iran.

I personally would avoid doing this.

Oh, that’s totally different! Yeah, for something like that I would totally be ok with what you did.

I agree. At some point you gotta step back and say “there’s nothing more I could have realistically done.”

The main concern would be that it’s not a USB stick but a rubber ducky (which is registered as a keyboard and quickly downloads malware via cmd). Takes 3 seconds and you’re screwed.

Hi, the problem is not what is on the USB, but rather how does your computer know what type of USB device was plugged in? Think about it, how does your computer know the difference between a USB drive and a USB keyboard or network adapter?

The only way it knows is because the drive or keyboard identifies itself. So if you plug in something that looks like a drive, but reports as a keyboard, suddenly the attacker has keyboard access. Oops.

Or what if it reports as a network adapter? Or a docking station with a wired network connection in the case of USB-C?

Not to mention…

https://usbkill.com/ (although these would be pretty expensive to just have lying around lol)

That would be cool to have in a bait safe labeled “Confidential Documents” or maybe even “Will”. OP always remember the saying “curiosity killed the cat” because it certainly applies here. Just buy a used cheap throwaway computer if you absolutely must know what’s on the stick. Maybe keep it for future tests if it lives lol like some twisted reward.
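
Added example, not part of any post in this thread: the replies above point out that a USB device tells the host what it is, so a "flash drive" can also announce a keyboard or network interface. This Python sketch reads the interface classes Linux exposes under `/sys/bus/usb/devices` and lists anything a plain storage stick should not have; the function names and the class-name table are this example's own.

```python
import os

# USB-IF base class codes as they appear in sysfs bInterfaceClass (hex).
CLASS_NAMES = {
    "02": "communications (can be a network adapter)",
    "03": "HID (keyboard/mouse)",
    "08": "mass storage",
    "09": "hub",
    "0a": "CDC data (can be a network adapter)",
    "e0": "wireless controller",
    "ef": "miscellaneous",
    "ff": "vendor specific",
}

def _read(path):
    """Return the stripped contents of a sysfs attribute, or '' if unreadable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""

def scan(root="/sys/bus/usb/devices"):
    """Map each USB device (e.g. '1-2') to the set of interface classes it declares."""
    devices = {}
    for name in sorted(os.listdir(root)):
        if ":" not in name:          # '1-2' is the device, '1-2:1.0' is an interface
            continue
        cls = _read(os.path.join(root, name, "bInterfaceClass")).lower()
        if cls:
            devices.setdefault(name.split(":")[0], set()).add(cls)
    return devices

def unexpected_for_flash_drive(classes):
    """Classes a device declares beyond mass storage (08), sorted."""
    return sorted(classes - {"08"})

if __name__ == "__main__":
    for dev, classes in scan().items():
        names = ", ".join(CLASS_NAMES.get(c, "class " + c) for c in sorted(classes))
        extra = unexpected_for_flash_drive(classes)
        note = "  <-- not just storage" if "08" in classes and extra else ""
        print(f"{dev}: {names}{note}")
```

By the time these files exist the kernel has already enumerated the device and bound drivers, so this only shows what the device claimed to be; it fits the disposable, offline machine suggested in the thread rather than a daily-use computer.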